setspn.exe

  • File Path: C:\Windows\system32\setspn.exe
  • Description: Query or reset the computer’s SPN attribute

Hashes

Type Hash
MD5 706FBA8F9F67D479A792860289853C1B
SHA1 87C43AD8514AF87F069391F96630D4439F537B2B
SHA256 CF095DBD04EBAB55B598E0F27C88304571EDC70F41156567C1700B70CD5E728B
SHA384 C495F6282D75A4E75C2BC6C39FA09A4DD0BB2D4BB17AD721C0803D130C3A619C246DC8488BF9D72F98D265E9E4B25D92
SHA512 2DF637F1A0AC31F66330F4A93EB6C2957CA4F4D501DF4718FAA6982208B794A8D34BB7D4890561D07A11B26677DCAC0B5A4E88EF646CEA83EF6820983E9B6CBC
SSDEEP 384:5Q/B9iDavPAwpJt45OYFNIPPvgwYqzzYrdz24w8W4fM3n/NxzCqzv7YyMsUrlYW2:5ZawDOEagwFzYrdi4ZfUvDOq3Yhrla
IMP 1393340AAB23F97BCF1E08682E940E45
PESHA1 46A4BF73D22A0A0068061BFC471137D153D5FAF6
PE256 63E5821296D8A1EBAF2124DC0E74C70784E580BB51C1DB64354886F73937C434

Runtime Data

Usage (stdout):

Usage: C:\Windows\system32\setspn.exe [modifiers switch] [accountname] 
  Where "accountname" can be the name or domain\name
  of the target computer or user account

  Edit Mode Switches:
   -R = reset HOST ServicePrincipalName
    Usage:   setspn -R accountname
   -S = add arbitrary SPN after verifying no duplicates exist
    Usage:   setspn -S SPN accountname
   -D = delete arbitrary SPN
    Usage:   setspn -D SPN accountname
   -L = list SPNs registered to target account
    Usage:   setspn [-L] accountname   

  Edit Mode Modifiers:
   -C = specify that accountname is a computer account
   -U = specify that accountname is a user account
   
    Note: -C and -U are exclusive.  If neither is specified, the tool
     will interpret accountname as a computer name if such a computer
     exists, and a user name if it does not.

  Query Mode Switches:
   -Q = query for existence of SPN
    Usage:   setspn -Q SPN 
   -X = search for duplicate SPNs
    Usage:   setspn -X 

    Note: searching for duplicates, especially forestwide, can take
     a long period of time and a large amount of memory.  -Q will execute
     on each target domain/forest.  -X will return duplicates that exist
     across all targets. SPNs are not required to be unique across forests,
     but duplicates can cause authentication issues when authenticating
     cross-forest.

  Query Mode Modifiers:
   -P = suppresses progress to the console and can be used when redirecting
    output to a file or when used in an unattended script.  There will be no
    output until the command is complete.
   -F = perform queries at the forest, rather than domain level
   -T = perform query on the speicified domain or forest (when -F is also used)
    Usage:   setspn -T domain (switches and other parameters)
     "" or * can be used to indicate the current domain or forest.

    Note: these modifiers can be used with the -S switch in order to specify
     where the check for duplicates should be performed before adding the SPN.
    Note: -T can be specified multiple times.

Examples: 
setspn -R daserver1 
   It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}" 
setspn -S http/daserver daserver1 
   It will register SPN "http/daserver" for computer "daserver1" 
    if no such SPN exists in the domain
setspn -D http/daserver daserver1 
   It will delete SPN "http/daserver" for computer "daserver1" 
setspn -F -S http/daserver daserver1 
   It will register SPN "http/daserver" for computer "daserver1"
    if no such SPN exists in the forest
setspn -U -S http/daserver dauser 
   It will register SPN "http/daserver" for user account "dauser" 
    if no such SPN exists in the domain
setspn -T * -T bar -X
   It will report all duplicate registration of SPNs in this domain and bar
setspn -T bar -F -Q */daserver
   It will find all SPNs of the form */daserver registered in the forest to
    which bar belongs

Usage (stderr):

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x0000054B
Could not find account help

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\logoncli.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\system32\netutils.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\NTDSAPI.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\system32\setspn.exe
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\WLDAP32.dll
C:\Windows\System32\WS2_32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: setspn.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/cf095dbd04ebab55b598e0f27c88304571edc70f41156567c1700b70cd5e728b/detection/

Possible Misuse

The following table contains possible examples of setspn.exe being misused. While setspn.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_spn_enum.yml Image\|endswith: '\setspn.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows] MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md - Atomic Test #3 - Extract all accounts in use as SPN using setspn MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md ## Atomic Test #3 - Extract all accounts in use as SPN using setspn MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md The following test will utilize setspn to extract the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md setspn -T #{domain_name} -Q / MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md setspn.exe -T #{domain_name} -Q / | Select-String ‘^CN’ -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.